On Thursday, CISA warned U.S. federal businesses to safe their techniques in opposition to ongoing assaults exploiting a high-severity vulnerability within the Chrome net browser.
Solidlab safety researcher Vsevolod Kokorin found the flaw (CVE-2025-4664) and shared technical particulars on-line on Could fifth. Google launched safety updates to patch it on Wednesday.
As Kokorin defined, the vulnerability is due to inadequate coverage enforcement in Google Chrome’s Loader part, and profitable exploitation can permit distant attackers to leak cross-origin knowledge through maliciously crafted HTML pages.
“You in all probability know that not like different browsers, Chrome resolves the Hyperlink header on subresource requests. However what’s the issue? The difficulty is that the Hyperlink header can set a referrer-policy. We are able to specify unsafe-url and seize the complete question parameters,” Kokorin famous.
“Question parameters can include delicate knowledge – for instance, in OAuth flows, this may result in an Account Takeover. Builders not often contemplate the potential for stealing question parameters through a picture from a Third-party useful resource.”
Whereas Google did not disclose if the vulnerability was beforehand abused in assaults or if it is nonetheless being exploited, it warned in a safety advisory that it has a public exploit, which is the way it normally hints at energetic exploitation.
Flagged as actively exploited
Someday later, CISA confirmed CVE-2025-4664 is being abused within the wild and added it to the Recognized Exploited Vulnerabilities catalog, which lists safety flaws actively exploited in assaults.
As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Govt Department (FCEB) businesses should patch their Chrome set up inside three weeks, by Could seventh, to safe their techniques in opposition to potential breaches.
Whereas this directive solely applies to federal businesses, all community defenders are suggested to prioritize patching this vulnerability as quickly as potential.
“A majority of these vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise,” the cybersecurity company warned.
That is the second actively exploited Chrome zero-day patched by Google this yr, after one other high-severity Chrome zero-day bug (CVE-2025-2783), which was abused to focus on Russian authorities organizations, media shops, and academic establishments in cyber-espionage assaults.
Kaspersky researchers who noticed the zero-day assaults stated that the risk actors used CVE-2025-2783 exploits to bypass Google Chrome’s sandbox protections and infect targets with malware.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and find out how to defend in opposition to them.
